CVE-2013-0177

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://ofbiz.apache.org/download.html#vulnerabilitiesVendor Advisory
• http://osvdb.org/89452Broken Link
• http://osvdb.org/89453Broken Link
• http://packetstormsecurity.com/files/119673/Apache-OFBiz-Cross-Site-Scripting.htThird Party AdvisoryVDB Entry
• http://seclists.org/fulldisclosure/2013/Jan/148Mailing ListThird Party Advisory
• http://secunia.com/advisories/51812Third Party Advisory
• https://exchange.xforce.ibmcloud.com/vulnerabilities/81398Third Party AdvisoryVDB Entry
• https://fisheye6.atlassian.com/changelog/ofbiz?cs=1432395Broken Link
• https://fisheye6.atlassian.com/changelog/ofbiz?cs=1432850Broken Link
• http://ofbiz.apache.org/download.html#vulnerabilitiesVendor Advisory
• http://osvdb.org/89452Broken Link
• http://osvdb.org/89453Broken Link
• http://packetstormsecurity.com/files/119673/Apache-OFBiz-Cross-Site-Scripting.htThird Party AdvisoryVDB Entry
• http://seclists.org/fulldisclosure/2013/Jan/148Mailing ListThird Party Advisory
• http://secunia.com/advisories/51812Third Party Advisory